https://community.cisco.com/t5/network-security/identify-unused-acls-and-object-groups/m-p/1065107#M895135 <HTML><HEAD></HEAD><BODY><P>As far as I know there are some recommended practices allow you to summarize and simplify your ACE entries:</P><P></P><P>1)Use contiguous host addresses whenever possible. Aggegrate host statements in ACEs/object-groups into networks.</P><P>2)Use 'any' instead of networks, and use networks instead of hosts when possible.</P><P>3)Try to simplify object-groups. This can potentially save hundreds of ACEs when the ACLs are expanded.</P><P>4)Group together individual port statements into a range.</P><P></P><P></P></BODY></HTML> Fri, 17 Oct 2008 15:04:47 GMT bwilmoth 2008-10-17T15:04:47Z https://community.cisco.com/t5/network-security/identify-unused-acls-and-object-groups/m-p/1065106#M895134 <P>Hello all,</P><P>Can anyone point me to a software product (preferably Cisco) that will analyze a PIX 6.3 firewall rule set and determine which ACLs are not in use and which object groups are not referenced by any ACLs? I know I can show access-list to see hit counts, but this firewall has thousands of rules.</P><P></P><P>Thanks,</P><P> Matt</P> Mon, 11 Mar 2019 13:56:53 GMT https://community.cisco.com/t5/network-security/identify-unused-acls-and-object-groups/m-p/1065106#M895134 MATTHEW BECK 2019-03-11T13:56:53Z https://community.cisco.com/t5/network-security/identify-unused-acls-and-object-groups/m-p/1065107#M895135 <HTML><HEAD></HEAD><BODY><P>As far as I know there are some recommended practices allow you to summarize and simplify your ACE entries:</P><P></P><P>1)Use contiguous host addresses whenever possible. Aggegrate host statements in ACEs/object-groups into networks.</P><P>2)Use 'any' instead of networks, and use networks instead of hosts when possible.</P><P>3)Try to simplify object-groups. This can potentially save hundreds of ACEs when the ACLs are expanded.</P><P>4)Group together individual port statements into a range.</P><P></P><P></P></BODY></HTML> Fri, 17 Oct 2008 15:04:47 GMT https://community.cisco.com/t5/network-security/identify-unused-acls-and-object-groups/m-p/1065107#M895135 bwilmoth 2008-10-17T15:04:47Z https://community.cisco.com/t5/network-security/identify-unused-acls-and-object-groups/m-p/1065108#M895138 <HTML><HEAD></HEAD><BODY><P>sh access-list | inc hitcnt=0</P><P>enter</P><P></P><P>This will only give the non-matched lines. </P><P>dump the results into excel with the ( as a text delimiter. This will clip off the hitcnt=0) 0x15abbe7c from the end of the lines. The drop it into notepad and you can replace "access-list" with "no access-list"</P></BODY></HTML> Fri, 17 Oct 2008 19:55:53 GMT https://community.cisco.com/t5/network-security/identify-unused-acls-and-object-groups/m-p/1065108#M895138 josh 2008-10-17T19:55:53Z https://community.cisco.com/t5/network-security/identify-unused-acls-and-object-groups/m-p/1065109#M895140 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>Actually, that won't work with object groups like I have configured. When you do the show access-list command you get:</P><P></P><P>access-l YYY line 1 perm...</P><P>access-l YYY line 1 perm...</P><P>access-l YYY line 1 perm...</P><P>access-l YYY line 2 perm...</P><P>access-l YYY line 2 perm...</P><P></P><P>If I try to no out anything but the first line which includes the name of the object groups, I'm going to get an error. And I definitely don't want to delete the entire line because only 1 object in the group may be unused - the rest will be valid.</P><P></P><P>Thanks, and enjoy your weekend.</P><P></P><P>Matt</P></BODY></HTML> Fri, 17 Oct 2008 20:07:19 GMT https://community.cisco.com/t5/network-security/identify-unused-acls-and-object-groups/m-p/1065109#M895140 MATTHEW BECK 2008-10-17T20:07:19Z https://community.cisco.com/t5/network-security/identify-unused-acls-and-object-groups/m-p/1065110#M895144 <HTML><HEAD></HEAD><BODY><P>For the access-lists you could do it manually like the following.</P><P></P><P>Firsto do a:</P><P></P><P>show access-l | inc elements</P><P></P><P>Then compare it with:</P><P></P><P>show run access-group</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Sun, 19 Oct 2008 05:41:44 GMT https://community.cisco.com/t5/network-security/identify-unused-acls-and-object-groups/m-p/1065110#M895144 Farrukh Haroon 2008-10-19T05:41:44Z https://community.cisco.com/t5/network-security/identify-unused-acls-and-object-groups/m-p/1065111#M895146 <HTML><HEAD></HEAD><BODY><P>I've done this before and it was VERY painful.</P><P></P><P>Here is what i did:</P><P></P><P>1- Use a freeware tool call odumper/ofiller,</P><P>written by a Checkpoint engineer to dump</P><P>the rules and object into a Checkpoint </P><P>SmartCenter</P><P></P><P>2- In the Checkpoint security, I can use the</P><P>"right-click" functions to findout which </P><P>objects have NOT been used. This can be </P><P>relatively quickly</P><P></P><P>3- Use Cisco conversion tool to convert</P><P>Checkpoint rule back into Pix rules. </P><P></P><P>Step 1 and 2 worked quite well but step</P><P>3 was a big mess especially when you have</P><P>a large security policy. </P><P></P><P>my 2c.</P></BODY></HTML> Sun, 19 Oct 2008 09:33:43 GMT https://community.cisco.com/t5/network-security/identify-unused-acls-and-object-groups/m-p/1065111#M895146 cisco24x7 2008-10-19T09:33:43Z